U2F (Universal 2nd Factor) is an open authentication standard that adds a second layer of security to online accounts. It combines something the user has (a physical security key) with something the user knows (a password). U2F is still a multi-factor authentication method, but it is much stronger than traditional MFA methods such as security questions or one-time passwords, which can be phished, stolen, or intercepted.
The U2F standard was developed by Google and Yubico and is championed today by the FIDO Alliance, an open industry association focused on reducing the world's over-reliance on passwords. U2F has been adopted by large services such as Gmail, Facebook, Dropbox, and GitHub.
U2F is a physical multi-factor method that provides a strong, additional layer of security on top of a traditional password. Entering the correct password begins the authentication process; the service then sends a cryptographic challenge to a physical device, normally a security key plugged into a USB port, and the user responds by tapping the device, which confirms the login. U2F relies on public key cryptography: the private key is generated and stored securely on the security key and never leaves it, while the matching public key is registered with the service (the origin) and is all the service needs to verify the signed challenge.
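The challenge-response exchange described above, as an added example that is not part of the original article and not code from the FIDO Alliance or Yubico: a Go simulation with both sides of the protocol. The `Authenticator` type stands in for the security key (private key per origin plus a signature counter) and `RelyingParty` for the service (public key and last-seen counter per user). The signed message follows the U2F raw authentication layout (SHA-256 of the application id, a user-presence byte, a 4-byte counter, SHA-256 of the challenge); key handles and attestation certificates are left out, and the origin `https://example.com` and user `alice` are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Authenticator stands in for the security key: one private key per origin
// (appID) and a signature counter, which real keys hold in hardware.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: make(map[string]*ecdsa.PrivateKey)}
}

// Register makes a fresh P-256 key pair bound to appID and returns only the public half.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

// signedData is the U2F authentication message layout:
// SHA-256(appID) || user-presence byte || 4-byte big-endian counter || SHA-256(challenge).
func signedData(appID string, userPresent byte, counter uint32, challenge []byte) []byte {
	appParam, chalParam := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append([]byte{}, appParam[:]...)
	msg = append(msg, userPresent)
	msg = append(msg, ctr[:]...)
	return append(msg, chalParam[:]...)
}

// Authenticate signs the challenge for appID once the user taps (userPresent);
// the counter advances on every signature, and a key never signs for an origin it was not registered with.
func (a *Authenticator) Authenticate(appID string, challenge []byte, userPresent bool) ([]byte, uint32, error) {
	priv, ok := a.keys[appID]
	if !ok {
		return nil, 0, errors.New("no key registered for this origin")
	}
	if !userPresent {
		return nil, 0, errors.New("user presence required")
	}
	a.counter++
	digest := sha256.Sum256(signedData(appID, 1, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return sig, a.counter, err
}

// RelyingParty is the server: it stores only public keys and the last counter per user.
type RelyingParty struct {
	AppID   string
	pubKeys map[string]*ecdsa.PublicKey
	lastCtr map[string]uint32
}

func NewRelyingParty(appID string) *RelyingParty {
	return &RelyingParty{AppID: appID, pubKeys: map[string]*ecdsa.PublicKey{}, lastCtr: map[string]uint32{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge draws 32 random bytes; a fresh challenge per login is what defeats replay.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature under the stored public key for this origin and
// rejects a counter that did not move forward (replayed response or cloned key).
func (rp *RelyingParty) Verify(user string, challenge, sig []byte, counter uint32) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	digest := sha256.Sum256(signedData(rp.AppID, 1, counter, challenge))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	if counter <= rp.lastCtr[user] {
		return errors.New("counter did not increase: replay or cloned key")
	}
	rp.lastCtr[user] = counter
	return nil
}
```

Two details carry the security argument: the origin is hashed into every signed message, so a signature obtained for one site is meaningless to another, and the server stores nothing that could be used to log in, only public keys and counters. The counter check is a cheap detection of a cloned or replayed response; a real relying party should log such a failure rather than silently retry.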
FIDO U2F has since evolved into FIDO2. FIDO2 extends U2F with passwordless login flows through its main component, WebAuthn. The U2F standard remains but has been relabeled CTAP1 (Client to Authenticator Protocol). CTAP2 was also introduced; it plays the same role as U2F but additionally allows mobile devices to act as external authenticators.